What personal data can you collect in research and how long can you keep these?

Purpose limitation

First of all, it is important to know that personal data may only be processed for a well-defined (specified), explicitly defined purpose (purpose limitation). If you are going to collect personal data to conduct scientific research, then the purpose of the processing is "to conduct scientific research as referred to in the Higher Education and Scientific Research Act and the Netherlands Code of Conduct on Scientific Integrity on [research purpose]." Of course, it is also possible that certain personal data were initially collected for a purpose other than conducting scientific research. The GDPR states, therefore, that further processing of those personal data for the purpose of scientific research is compatible with the original purpose for which the data were collected. However, there are certain requirements on how that data should be handled (see also our page on integrity and confidentiality).

Data minimization

One of the principles of the GDPR is data minimization: the researcher may only collect personal data that are necessary for the purpose of the scientific research, but also ensures that sufficient data are collected in order to be able to answer the research question. An example would be that when researching workplace satisfaction, the researcher normally should only ask questions about workplace atmosphere and satisfaction with facilities. The researcher could also ask questions about diet, smoking, and drinking habits, but in the context of data minimization, this is most likely not allowed, as the survey does not focus on the lifestyle of employees. Therefore, these data are not needed to answer the research question.

Thanks to data minimization, a data subject is assured that no more privacy-sensitive data than necessary about him or her are floating around an organization. That alone ensures more privacy. It also reduces the impact of incorrect processing. Examples include access by an unauthorized person, or even theft by hackers. Data that an organization does not own cannot end up on the street or be seen by the wrong people. Therefore always ask yourself the question: do I really need these data in order to be able to answer my research question?

In view of data minimization, it is also advisable to pseudonymize or, if possible, anonymize research data as soon as possible. More information can be found on the page on integrity and confidentiality of personal data in research.

Storage of data

It is important that data after completion of the research project are stored carefully. From a privacy perspective, data should not be kept longer than necessary for the purpose for which they were collected, but from other perspectives (e.g., scientific integrity or open science) other retention periods may apply. It is important to consider the various perspectives when determining retention periods for research data. Directly traceable personal data (mainly contact information and informed consent) may be kept separately as long as necessary, but these can often be deleted earlier than the research data, which are kept for a minimum of 10 years in line with the Research Data Management Regulations.

Contact data of (potential) respondents

In the case of pseudonymization, a researcher should at least ensure that the contact data of (potential) respondents are stored and retained separately from other research data.

Files containing contact data should be accessible only to those who actually need access. Normally these are:

• The principal investigator(s) involved; 
• The supervisor. 

Contact data that can be linked to the dataset should be removed by the researcher as soon as possible (within 6 months unless longer is necessary) as long as it does not conflict with the interests of the scientific research.